Re: [CGA-EXT] Last Call: draft-ietf-csi-send-cert (Certificate profile and certificate management for SEND) to Proposed Standard

Suresh Krishnan <suresh.krishnan@ericsson.com> Mon, 03 May 2010 02:48 UTC

Hi Sean,
   I will make the changes to the IANA considerations section like you 
suggested. I think it adds clarity about the required assignment.

On 10-05-01 06:56 AM, Sean Turner wrote:
> Suresh,
>>> 4.c) Was there discussion about support for the anyExtendedKeyUsage 
>>> OID from 4.2.1.12 of RFC 5280?
>> No. I am not sure it would be useful as the SEND implementations really 
>> need to know the EKU to work properly. The packet processing is based on 
>> the value of the EKU.
> 
> Hmmm if you're not going to support it, then you might want to 
> put some text in about it not being allowed.  5280 allows 
> applications to reject certificates that include this extension.

OK. I will add the following text at the end of Section 7:

"Certificate-using applications MUST reject certificates that do not 
contain one of the three KeyPurposeIds defined above even if they 
include the anyExtendedKeyUsage OID defined in [RFC5280]."

Does this work?

Thanks
Suresh
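
The rule in the proposed Section 7 text, as an added example that is not part of the original message or the draft: it parses the DER value of an extended key usage extension and accepts only when a SEND KeyPurposeId is present, so anyExtendedKeyUsage on its own is rejected. The three SEND OIDs are placeholders from the 2.999 example arc (the message does not list them), and the sample byte strings are constructed.

```python
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage (RFC 5280, section 4.2.1.12)
# Assumption: 2.999 example-arc placeholders for the three SEND KeyPurposeIds.
SEND_EKUS = {"2.999.1", "2.999.2", "2.999.3"}
ONLY_ANY = bytes.fromhex("3006" "0604551d2500")  # constructed sample
ANY_PLUS_ROLE = bytes.fromhex("300b" "0604551d2500" "0603883701")  # constructed

def _read_tlv(buf, pos):  # one DER TLV -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):  # OID content octets -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # first two arcs share one subidentifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_eku(ext_value):
    """Parse an ExtKeyUsageSyntax value (SEQUENCE OF OID) into a set of OIDs."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU must be exactly one SEQUENCE")
    oids, pos = set(), 0
    while pos < len(body):
        tag, oid, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU element is not an OID")
        oids.add(_decode_oid(oid))
    return oids

def check_send_eku(ext_value):
    """Return (accept, roles); anyExtendedKeyUsage never counts toward accept."""
    roles = parse_eku(ext_value) & SEND_EKUS
    return bool(roles), roles
```

A certificate with no extended key usage extension at all never reaches `check_send_eku`; under the quoted text the caller treats that case as a rejection too.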